System Configuration Requirements


- Set PowerShell Execution Policies
- Verify WinRM IIS Extensions
- Enable Windows Authentication for PowerShell Virtual Directory
- Verify SSL setting for PowerShell Virtual Directory
- Verify the application pool for PowerShell Virtual Directory
- Verify the security (read) permissions for PowerShell Virtual Directory


1. Open a Windows PowerShell window by selecting Run as administrator and run
the command as shown:

Set-ExecutionPolicy RemoteSigned


Windows PowerShell
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> Set-ExecutionPolicy RemoteSigned

Execution Policy Change
The execution policy helps protect you from scripts that you do not trust. Changing
the execution policy might expose you to the security risks described in the
about_Execution_Policies help topic. Do you want to change the execution
policy?
[N] No [S] Suspend [?] Help (default is "Y"): Y
PS C:\Windows\system32>


2. Enable the WinRM IIS Extensions under Add Roles and Features in Server Manager: 


Windows Remote Management (WinRM) IIS Extension enables a server to receive a 
management request from a client computer by using the WS-Management protocol. 
WinRM is the Microsoft implementation of the WS-Management protocol. This helps 
secure communication between local and remote computers by using Web-based 
services. 


Steps are shown below: 
[Screenshot: Add Roles and Features Wizard, Select features page, with "WinRM IIS Extension" selected under Features (destination server SVR1.winadmins.local).]

[Screenshot: Installation progress page reporting "Installation succeeded on SVR1.winadmins.local" for the WinRM IIS Extension.]


3. Log in to your Exchange 2010+ server and enable Windows Authentication on the
PowerShell site:
Open the "Internet Information Services (IIS) Manager" console.
Connect to the Exchange Server.
Open Sites -> "Name of your Exchange Site" -> PowerShell and open Authentication as
shown:

Enable Windows Authentication. Right-click Windows Authentication, select Providers and make
sure Negotiate is listed under Enabled Providers, as shown:
[Screenshot: Providers dialog for Windows Authentication, with Negotiate listed under Enabled Providers.]

4. To access the PowerShell Virtual Directory over an http URI, disable SSL checking (Require SSL
unchecked, client certificates set to Ignore) for the PowerShell Virtual Directory as well as the
Default Web Site, as shown:


PowerShell Virtual Directory:
[Screenshot: SSL Settings for the PowerShell virtual directory.]

Default Web Site:
[Screenshot: SSL Settings for the Default Web Site.]

Disable "Require SSL":
[Screenshot: IIS Manager, Default Web Site > PowerShell > SSL Settings, with "Require SSL" unchecked and Client certificates set to Ignore.]


Note: remember to click Apply to save the changes.


5. Also, under PowerShell Virtual Directory -> Basic Settings, make sure the correct
application pool (MSExchangePowerShellAppPool or MSExchangePowerShellFrontEndAppPool) and
physical path (C:\Program Files\Microsoft\Exchange Server\V<Exchange Version>\ClientAccess\PowerShell)
are selected for the PowerShell virtual directory under the IIS root on the host, as shown:


[Screenshot: IIS Manager, Default Web Site > PowerShell > Basic Settings.]


Microsoft Exchange Server Scan User Privileges and Configurations 6 


6. Also make sure the Exchange scan user has read permissions on the physical path specified.

To do this, go to PowerShell Virtual Directory -> Edit Permissions -> Security tab and assign
read permissions to the user performing the scan, as shown:


[Screenshot: IIS Manager, Default Web Site > PowerShell > Edit Permissions, Security tab.]
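As an added example (not part of this guide), the following Windows PowerShell script checks steps 1 to 6 above on the Exchange server in one pass, so the configuration can be re-verified after changes. It assumes the PowerShell virtual directory sits under "Default Web Site" and that the scan account is DOMAIN\qualys_scan; both are assumptions to adjust.

```powershell
# Added example: verifies steps 1-6 of this guide. Run in an elevated Windows
# PowerShell on the Exchange server. Assumptions: the PowerShell virtual directory
# is under "Default Web Site" and the scan account is DOMAIN\qualys_scan.
Import-Module WebAdministration
Import-Module ServerManager

$site     = 'Default Web Site'
$vdir     = "$site/PowerShell"
$scanUser = 'DOMAIN\qualys_scan'    # assumption: replace with your scan account
$results  = New-Object System.Collections.Generic.List[object]

function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; OK = $Ok; Detail = $Detail })
}

# Step 1: execution policy must allow local scripts (RemoteSigned or looser).
$policy = Get-ExecutionPolicy -Scope LocalMachine
Add-Check 'Execution policy' ($policy -in 'RemoteSigned','Unrestricted','Bypass') "$policy"

# Step 2: the WinRM IIS Extension feature is installed.
$feat = Get-WindowsFeature -Name WinRM-IIS-Ext
Add-Check 'WinRM IIS Extension' $feat.Installed "$($feat.InstallState)"

# Step 3: Windows Authentication is enabled on the vdir with the Negotiate provider.
$authFilter = 'system.webServer/security/authentication/windowsAuthentication'
$winAuth = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $vdir -Filter $authFilter -Name enabled
$providers = Get-WebConfiguration -PSPath 'IIS:\' -Location $vdir -Filter "$authFilter/providers/add" |
    ForEach-Object { $_.value }
Add-Check 'Windows Authentication' ([bool]$winAuth.Value) "enabled=$($winAuth.Value)"
Add-Check 'Negotiate provider' ($providers -contains 'Negotiate') ($providers -join ', ')

# Step 4: "Require SSL" off and client certificates set to Ignore on both the site
# and the vdir; IIS stores that combination as sslFlags = None.
foreach ($loc in @($site, $vdir)) {
    $ssl = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc `
        -Filter 'system.webServer/security/access' -Name sslFlags
    Add-Check "SSL not required ($loc)" ("$ssl" -eq 'None') "sslFlags=$ssl"
}

# Step 5: application pool and physical path of the PowerShell virtual directory.
$app  = Get-WebApplication -Site $site -Name 'PowerShell'
$pool = "$($app.applicationPool)"
Add-Check 'Application pool' ($pool -in 'MSExchangePowerShellAppPool','MSExchangePowerShellFrontEndAppPool') $pool
Add-Check 'Physical path exists' (Test-Path $app.PhysicalPath) "$($app.PhysicalPath)"

# Step 6: an Allow ACE grants read access to the scan user, directly or via the
# built-in groups that usually carry it (nested group membership is not resolved here).
$readers = @($scanUser, 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
$aces = (Get-Acl -Path $app.PhysicalPath).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $readers -contains $_.IdentityReference.Value -and
    (($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read) -ne 0)
}
Add-Check 'Read permission on physical path' ([bool]$aces) (($aces | ForEach-Object { $_.IdentityReference.Value }) -join ', ')

$results | Format-Table -AutoSize
```

Any row with OK = False points at the step above that still needs attention.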
Scan User Privilege

- Add new user account in Active Directory
- Add Roles/Group membership for the newly created user account
- Enable Remote PowerShell for the newly created user account


Creating a new user account as an MS Exchange scan user in Active Directory


1. Open Server Manager and select Active Directory Users and Computers from the Tools
menu.

2. In the left pane of ADUC, expand your domain and click the Users container.

3. In the right pane, right-click some empty space and select New > User from the menu as
shown:


[Screenshot: Active Directory Users and Computers with the Users container of the domain selected; the right-click context menu shows New > User.]
4. In the New Object - User dialog, enter a First name, Last name and User logon name, and
then click Next as shown:

5. Type and confirm a Password, then click Next.


[Screenshot: New Object - User password page. Only "Password never expires" is checked; "User must change password at next logon", "User cannot change password" and "Account is disabled" are unchecked.]
6. Check the information for the new user on the confirmation screen and click Finish:


[Screenshot: New Object - User confirmation screen: "When you click Finish, the following object will be created:" followed by the new user's details.]


Add Roles/Group membership for the newly created user account


The user performing the scan should be an Exchange AD user with the following Roles/Group
membership configuration in order to run specific Exchange PowerShell cmdlets.

Ensure the user is a member of the Exchange Management Role Groups needed to run the specific
set of Exchange PowerShell cmdlets listed below.

Procedure (perform using a Domain Administrator user), as shown:

To assign a specific role to the user, navigate to:
Active Directory Users and Computers (dsa.msc) -> under "Microsoft Exchange Security
Groups", right-click the required group and add the "Exchange user" to the Exchange Role Group as
per the requirement listed below:
- IIS_IUSRS
- Organization Management
- Domain Users
- View-Only Audit Logs management


Feature/Exchange Cmdlets Category | Exchange Role/Security Group membership required
Administrator audit logging | Organization Management; Records Management
Exchange admin center configuration settings | View-Only Organization Management
Exchange admin center connectivity | Organization Management; Server Management
Exchange server configuration settings | Organization Management; Server Management
Exchange Help settings | Organization Management
Message categories | Organization Management; Hygiene Management; Recipient Management; Help Desk
Product key | Organization Management
Test system health | Organization Management; Server Management
View-only administrator audit logging | Organization Management; Records Management. Note: You can also manually assign the View-Only Audit Logs management role to a management role group. For more information, see View-Only Audit Logs.
Write to audit log | Users that are members of any role group or assigned any management role can write to the administrator audit log.
Active Directory Domain Services server settings | Organization Management; Server Management; Recipient Management; UM Management
Cmdlet extension agents | Organization Management
PowerShell virtual directories | Organization Management; Server Management
PowerShell and WinRM installation | Local Server Administrator
Remote PowerShell | Organization Management
[Screenshot: Active Directory Users and Computers, Properties of the scan user, Member Of tab. Member of: Domain Users, IIS_IUSRS, Organization Management, View-Only Organization Management. Primary group: Domain Users.]
Enable Remote PowerShell for the newly created user account


Open a Windows PowerShell window by selecting Run as administrator and run the
command as shown:

Set-User "qualys_scan" -RemotePowerShellEnabled $True


PS C:\Windows\system32> Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn;
PS C:\Windows\system32> Set-User qualys_scan -RemotePowerShellEnabled $True

PS C:\Windows\system32> Get-User qualys_scan | fl name, RemotePowerShellEnabled

Name                    : qualys_scan
RemotePowerShellEnabled : True
Verify scan user membership and test connection by PowerShell script


- Verify the membership of groups assigned to users
- Test connection to MS Exchange Server via Remote PowerShell


Verify the membership of groups assigned to users 


Using the PowerShell command below we can also verify the above membership of groups assigned
to users in AD:

Note: your user must first be assigned the Role Management management role to run the
Get-ManagementRoleAssignment cmdlet.

Below is the PowerShell command:
Get-ManagementRoleAssignment -RoleAssignee <Scan User Name>
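As an added example, not from the guide, this script combines the group membership, role assignment and RemotePowerShellEnabled checks for the scan account into one report. Run it in the Exchange Management Shell on a domain-joined server as an account that holds the Role Management role; the scan account name qualys_scan, the required group list and the treatment of IIS_IUSRS as a domain Builtin group are assumptions taken from the steps above.

```powershell
# Added example: reports whether the scan account has the group membership, the
# management roles and the remote PowerShell flag this guide calls for. Run in the
# Exchange Management Shell as an account holding the Role Management role.
# Assumptions: scan user is qualys_scan; IIS_IUSRS is a domain (Builtin) group as in
# this guide's lab (on a non-DC it is a local group and must be checked locally).
Import-Module ActiveDirectory

$scanUser       = 'qualys_scan'   # assumption: replace with your scan account
$requiredGroups = @('Domain Users', 'IIS_IUSRS', 'Organization Management')
$requiredRoles  = @('View-Only Audit Logs')

function Test-ScanUserSetup {
    param([string]$User, [string[]]$Groups, [string[]]$Roles)

    # Direct group membership from AD (nested membership is not expanded here).
    $memberOf      = Get-ADPrincipalGroupMembership -Identity $User | ForEach-Object { $_.Name }
    $missingGroups = $Groups | Where-Object { $memberOf -notcontains $_ }

    # Effective role assignments: -RoleAssignee returns direct assignments and
    # those inherited through role groups, so it reflects the table above.
    $assigned = Get-ManagementRoleAssignment -RoleAssignee $User |
        ForEach-Object { "$($_.Role)" } | Sort-Object -Unique
    $missingRoles = $Roles | Where-Object { $assigned -notcontains $_ }

    # Remote PowerShell must be enabled on the user object (Set-User step above).
    $remoteEnabled = (Get-User -Identity $User).RemotePowerShellEnabled

    [pscustomobject]@{
        User                    = $User
        MemberOf                = ($memberOf -join ', ')
        MissingGroups           = ($missingGroups -join ', ')
        RolesAssigned           = @($assigned).Count
        MissingRoles            = ($missingRoles -join ', ')
        RemotePowerShellEnabled = $remoteEnabled
        Ready                   = (-not $missingGroups -and -not $missingRoles -and $remoteEnabled)
    }
}

Test-ScanUserSetup -User $scanUser -Groups $requiredGroups -Roles $requiredRoles | Format-List
```

Ready = True means every item the guide lists is in place; the Missing* fields name what is still absent.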


Test connection to MS Exchange Server via Remote PowerShell
Steps required to connect to the PowerShell Virtual Directory using a PS script:
Open PowerShell or PowerShell ISE with "Run as Administrator" and insert the code below as shown:

$username = "<DomainName>\<ScanUserName>"
$tvar = "<Password Of Scan User>"
# The scan user's password is embedded in plain text in this script.
$password = ConvertTo-SecureString -String $tvar -AsPlainText -Force
$Credentials = New-Object System.Management.Automation.PSCredential -ArgumentList $username, $password
$Session = New-PSSession -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck) `
    -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "http://<FQDN of Exchange Server Host>:80/powershell" `
    -Authentication Kerberos -Credential $Credentials
Import-PSSession $Session -AllowClobber
# You can test any Exchange PowerShell command, as shown in the line below:
Get-PopSettings | fl -Property LoginType
Remove-PSSession $Session


Run the above code with the correct input details as per your host setup and you should be able
to see the connection result as follows (the following is an example scenario):

[Screenshot: output of the script above.]

This ensures you are able to connect to the PowerShell Virtual Directory using Remote
PowerShell with the Scan User specified.
Manage Authentication Records


Create an MS Exchange Server record in order to authenticate to a Microsoft Exchange Server 
running on a Windows host, and scan it for compliance. Windows authentication is required so 
you'll also need a Windows record for the host running the web server. 


Which technologies are supported? 


For the most current list of supported authentication technologies and the versions that have 
been certified for VM and PC by record type, please refer to the following article: 


Authentication Technologies Matrix 

Create one or more Windows Records 

- Go to Scans > Authentication. 

- Check that you have a Windows record already defined for the host running the web server. 


- Create an MS Exchange Server record for the same host. Go to New > Applications > MS 
Exchange Server. 


[Screenshot: Scans > Authentication, New > Applications menu listing MS Exchange Server among the application record types.]


Which users have permission to create records? 


Managers can add authentication records. Unit Managers must be granted these permissions: 
- Manage PC module 
- Create/edit authentication records/vaults 
How does it work?


We'll authenticate to each target host using the credentials provided in the Windows record. If 
the host is running an MS Exchange Server, then we'll check to see if an MS Exchange Server 
record exists. If yes, we'll use credentials from the Windows record to authenticate to the 
Windows system, access the web server configuration, and scan it for compliance. 